OAuth Authentication - An Overview

Zoho Creator's v2 APIs are RESTful APIs that use OAuth 2.0, an open standard authorization framework that enables client applications to gain limited access to a user's data without giving away the user's password.

| Term | Description |
| --- | --- |
| Resource owner or user | An end user who can grant access to your Zoho Creator account's resources |
| Protected resource or scope | The Zoho Creator resource such as the data in your Creator application and its meta-information |
| Client application | A web, mobile or another type of application that requires access to your Creator resources |
| Client ID and client secret | Credentials accorded by Zoho to a client application to authenticate API requests from it |
| Authorization code | A very short-lived code that's accorded to the client application, which can be exchanged for an access token |
| Access token | A short-lived token that allows the client application to access the protected resource |
| Refresh token | A relatively longer-lived token that's used to fetch additional access tokens for the client application |

How OAuth works

  1. The client application requests authorization to access the protected resource owned by the resource owner.
  2. The resource owner first authenticates the client and then authorizes it to access the requested resource by giving it an authorization code. (Zoho Creator uses the authorization code grant type.)
  3. The client exchanges the authorization code for an access token and optionally a refresh token as well.
  4. If its identity and authorization code are authenticated, the client receives the said tokens.
  5. The client requests access to the protected resource by presenting its access token.
  6. If the access token is valid, the client receives the requested resource.
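
Steps 1 to 3 from the client's side, as an added example that is not Zoho's own code. It uses the standard OAuth 2.0 (RFC 6749) parameter names; the endpoint, client credentials and redirect URI are placeholders, and the `state` check is an added safeguard the page does not mention.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions, not values from the page or from Zoho).
AUTH_ENDPOINT = "https://accounts.example.invalid/oauth/v2/auth"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"
REDIRECT_URI = "https://client.example.invalid/callback"

# Scope names as listed in this page's Scopes table.
KNOWN_SCOPES = {
    "ZohoCreator.form.CREATE", "ZohoCreator.report.CREATE",
    "ZohoCreator.report.READ", "ZohoCreator.report.UPDATE",
    "ZohoCreator.report.DELETE", "ZohoCreator.meta.form.READ",
    "ZohoCreator.meta.application.READ", "ZohoCreator.dashboard.READ",
}

def build_authorization_request(scope):
    """Step 1: URL the resource owner is sent to, plus the state to remember."""
    if scope not in KNOWN_SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    state = secrets.token_urlsafe(32)  # unguessable, bound to this browser session
    query = urlencode({
        "response_type": "code",       # authorization code grant type
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,                # request only what the client needs
        "state": state,
    })
    return f"{AUTH_ENDPOINT}?{query}", state

def parse_callback(callback_url, expected_state):
    """Step 2: take the authorization code from the redirect, rejecting forgeries."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise PermissionError(f"authorization denied: {params['error'][0]}")
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback not tied to our request")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]

def build_token_request(code):
    """Step 3: form body the client POSTs over TLS to the token endpoint."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
            "redirect_uri": REDIRECT_URI}
```

The token request carries the client secret, so it belongs on the client's server side, never in a browser or mobile bundle.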

Scopes

In OAuth 2.0, scope is a mechanism to limit the client application's access to the protected resources—here, the data in your Creator account and applications.

| Scope | Purpose |
| --- | --- |
| ZohoCreator.form.CREATE | To add records in forms |
| ZohoCreator.report.CREATE | To upload files in records that are displayed in reports |
| ZohoCreator.report.READ | To fetch data from the records displayed in reports; to download files from records that are displayed in reports |
| ZohoCreator.report.UPDATE | To update records that are displayed in reports |
| ZohoCreator.report.DELETE | To delete records that are displayed in reports |
| ZohoCreator.meta.form.READ | To get the information about the fields in a form |
| ZohoCreator.meta.application.READ | To get the list of forms, reports, and pages in applications; to get the information about the application sections |
| ZohoCreator.dashboard.READ | To get the list of applications |